September 2008
Report No. AUD-08-015


Protection of Resolution and
Receivership Data Managed or
Maintained by an FDIC Contractor

Federal Deposit Insurance Corporation

Why We Did The Audit

The FDIC’s Division of Resolutions and Receiverships (DRR) is responsible for all activities related to the closing, field management, and resolution of failed financial institutions. The objectives of this audit were to (1) determine whether the closing support contract used by the DRR Business Information Systems (BIS) Section contains privacy and information security clauses to protect pre-closing and failed institution data and (2) evaluate the steps the FDIC Oversight Manager (OM) takes to ensure the contractor is complying with privacy and information security clauses.

Background

The FDIC has established a risk-based corporate-wide security program and a privacy program to protect the sensitive information the Corporation manages. These programs include guidance for contractors and OMs to help ensure contractors are complying with government-wide and FDIC information security policies and procedures.

The FDIC collects sensitive information when conducting resolution and receivership activities at FDIC-insured financial institutions. Such information includes personally identifiable information (e.g., name, address, Social Security number, phone number, and account and loan data) for institution depositors, borrowers, and employees. DRR’s BIS Section, located in the FDIC’s Dallas Regional Office, is responsible for securing all the operating systems, data, and hardware once a failing institution is closed. To that end, DRR has established a Basic Ordering Agreement (BOA) to obtain information technology (IT) support for the BIS Section. A BOA is an agreement setting forth the terms and conditions to be applied to future task orders. The FDIC’s policies address the IT security requirements that should be incorporated into IT procurements.

Audit Results

DRR’s closing support BOA contains the necessary privacy and information security clauses consistent with FDIC guidance that was in place when the FDIC awarded the contract. Moreover, the Statement of Work contains a clause requiring that the contractor comply with all FDIC policies and procedures, including any new policies and procedures developed during the contract term. For instance, the contractor would be required to comply with the FDIC’s policy for safeguarding information described in FDIC Circular 1360.9, Protecting Sensitive Information, which became effective after the contract award date.

[Sidebar: Key FDIC Privacy and Security Clauses]

The OM is taking multiple steps to ensure the contractor is aware of, and complying with, the privacy and information security clauses. For example, the OM reviewed the contractor’s IT security plan and routinely monitors the status of background investigations for contractor personnel. The OM is planning to take additional steps to ensure the contractor has complied with the FDIC’s training requirements and to sustain contractor attention regarding its responsibilities for safeguarding information. With regard to IT equipment, as necessitated by a business need at the time the FDIC awarded the contract, the FDIC did not furnish the contractor with laptops and has since relied on the contractor to maintain its laptops consistent with FDIC information security standards. In June 2008, DRR established a pool of laptops provided by the Division of Information Technology for contractor use. Furnishing FDIC equipment allows the FDIC to ensure the security of information stored on the laptops and allows contractor personnel to store sensitive data on the laptops as circumstances dictate without violating FDIC policy for protecting sensitive information. With regard to the contractor’s laptops used prior to June 2008, the FDIC is requiring that the contractor sanitize those laptops in accordance with FDIC procedures. A Technical Monitor is helping the OM coordinate with the contractor to ensure the process is completed in a timely manner. In the interim, the contractor has physically secured all of its laptops until the sanitization process is completed. The Technical Monitor is maintaining a log to track the deployment of the FDIC’s laptops to contractor personnel.

One area warrants additional attention. The Contracting Officer and OM found Confidentiality Agreements for only 32 (70 percent) of 46 contractor personnel. Confidentiality Agreements document an individual’s understanding of, and commitment to, safeguarding data and are a key security requirement under the contract. FDIC policy and the BOA are clear that the Contracting Officer is responsible for ensuring that contractor personnel sign the agreements and for maintaining them in the contract file. Strengthening controls over Confidentiality Agreements will help to further protect sensitive resolution and receivership information.

Recommendation and Management Response

We recommended that the FDIC establish controls to ensure that Contracting Officers obtain signed Confidentiality Agreements from all contractor personnel required to submit such agreements and maintain copies of those agreements in the contract file. Management concurred with our recommendation and is taking responsive corrective action.

To view the full report, go to www.fdicig.gov/2008reports.asp

Contents

    BACKGROUND                                                            2
    AUDIT OBJECTIVES                                                      5
    AUDIT APPROACH                                                        6
    RESULTS OF AUDIT                                                      7
    PRIVACY AND INFORMATION SECURITY CLAUSES                              9
    STEPS TAKEN BY THE OM                                                15
    CONCLUSION                                                           23
    RECOMMENDATION                                                       24
    CORPORATION COMMENTS AND OIG EVALUATION                              25

    APPENDICES
      1. OBJECTIVES, SCOPE, AND METHODOLOGY                              26
      2. CORPORATION COMMENTS                                            31
      3. MANAGEMENT RESPONSE TO THE RECOMMENDATION                       33
      4. ACRONYMS USED IN THE REPORT                                     34

    TABLES
      1. OIG Analysis of BIS Closing Support Contract Clauses            11
      2. OIG Analysis of Oversight Related to Privacy and Information
         Security                                                        19

    FIGURES
      1. Composition of the Contractor’s Team                             3
      2. Summary of the Contractor’s Primary Responsibilities             4

Background

•   The FDIC’s Division of Resolutions and Receiverships (DRR) is responsible for all activities related to the closing, field management, and resolution of failed financial institutions.

•   The FDIC has established a risk-based corporate-wide information security program and a privacy program to protect the sensitive information that the Corporation manages. These programs consist of corporate policies, procedures, and guidance; a Chief Information Security Officer and Chief Privacy Officer with overall responsibility for information security and privacy, respectively; Information Security Managers (ISM) within the FDIC’s program divisions and offices to ensure a business focus on information security and privacy; and mandatory information security and privacy awareness training for FDIC employees and contractor personnel.

•   Key to achieving the FDIC’s mission is safeguarding the sensitive information the Corporation collects when conducting resolution activities.
    Such information includes sensitive personally identifiable information (e.g., names, addresses, Social Security numbers, phone numbers, and account and loan data) for institution depositors, borrowers, and employees.

•   Under the umbrella of the corporate program, DRR has established a number of controls to integrate information security and privacy protection into its business operations and systems – including appointing an ISM, defining security business rules for resolution and receivership data, and developing division-specific policies and guidelines for safeguarding the sensitive information the Corporation handles.

•   DRR’s Business Information Systems (BIS) Section in the Dallas Regional Office is responsible for identifying all electronic equipment, data systems, Web sites, and Internet banking services and products at a failing/failed financial institution and securing all operating systems, data, and hardware once the failing institution is closed.

•   In February 2006, DRR established a Basic Ordering Agreement (BOA) with Deloitte Consulting (contractor) to provide information technology (IT) support services required during the resolution of a failed financial institution.

•   As the need arises, the FDIC issues a task order, under the terms of the BOA, that details the IT staffing and services required to support a particular failed institution closing. The Contracting Officer (CO) and Oversight Manager (OM) refer to the BOA and the task orders as the BIS closing support contract. Figure 1 illustrates the typical composition of the contractor’s team.

    Figure 1: Composition of the Contractor’s Team

    Generally, one or more of the following are on the team:
    ♦ IT Manager (Electronic Data Processing Manager)
    ♦ IT Security Specialist
    ♦ Network Local Area Network (LAN) Specialist (LAN/Wide Area Network Administrator)
    ♦ IT Specialist (Hardware Support Specialist)
    ♦ IT Specialist (Download Specialist)
    ♦ IT Specialist (Data Forensics Specialist) under certain circumstances, as determined by the OM/Technical Monitor (TM)
    Source: Statement of Work – BIS closing support contract.

•   As of June 19, 2008, the FDIC had awarded 34 task orders under the BOA, which totaled $8.5 million. Figure 2 summarizes the contractor’s primary responsibilities.

    Figure 2: Summary of the Contractor’s Primary Responsibilities

    ♦ Coordinate pre-closing plans and activities with the BIS OM/TM, Receiver-in-Charge, and Closing Manager.
    ♦ Secure the failed institution’s on-site data processing operations, communications systems, e-banking services, Fed Wire, Internet service provider, and networks.
    ♦ EDP Manager acts as a point of contact between the closing manager and failed institution’s data processing operations staff and its data processing servicer.
    ♦ Coordinate processing requirements for all FDIC Closing Team Function Areas.
    ♦ Coordinate ongoing operation with the entity purchasing the failed institution.
    ♦ Coordinate imaging and storage of documents associated with the failed institution.
    ♦ Obtain and deliver data file downloads and reports, as required.
    ♦ Map data, convert data, reconcile data to subsidiary trial and general ledger balance totals, and load data to FDIC applications.
    ♦ Provide LAN administration and network support for the FDIC’s accounting system and the Receivership Liability System LANs.
    ♦ Prepare ad hoc reports, letters, and labels, as requested, using mapped downloaded data.
    ♦ Provide general hardware and software support to the FDIC Closing Team.
    ♦ Preserve and analyze (in certain cases, as defined by the BIS OM/TM) data stored in various electronic media such as desktop personal computers, laptops, network storage devices, palm pilots, personal digital assistants, and cell phones.
    Source: Statement of Work – BIS closing support contract.

Audit Objectives

Objective 1 (Privacy and Information Security Contract Clauses): Determine whether the closing support contract used by DRR’s BIS Section contains privacy and information security clauses to protect pre-closing and failed institution data.

Objective 2 (Steps Taken by the OM): Evaluate the steps the OM takes to ensure the contractor is complying with the privacy and information security clauses in the contract.

Audit Approach

To accomplish our objectives, we:

    –   Obtained and reviewed contract documents, including the BOA, Statement of Work, and one of the task orders issued for closing support activities.

    –   Reviewed relevant policies and procedures to identify the contracting requirements and the OM responsibilities with regard to privacy and information security.

    –   Obtained information from officials in: the Division of Administration (DOA), including the Contracting Officer (CO); DRR, including the OM and officials in DRR’s ISM Section; and the Division of Information Technology’s (DIT) Information Security and Privacy Staff.

    –   Consulted with the Counsel to the Office of the Inspector General (OIG) to help us evaluate whether security and privacy clauses were consistent with relevant guidance.

•   We conducted this performance audit from April 2008 through June 2008 in accordance with generally accepted government auditing standards. Additional details on our objectives, scope, and methodology are in Appendix 1.

Results of Audit

Privacy and Information Security Clauses in the Closing Support Contract

•   DRR’s closing support BOA contains the necessary privacy and information security clauses consistent with FDIC guidance that was in place when the FDIC awarded the contract. Moreover, the Statement of Work includes a clause requiring that the contractor comply with all FDIC policies and procedures, including any new policies and procedures developed during the contract term.
    For instance, the contractor would be required to comply with the FDIC’s guidance for safeguarding information described in FDIC Circular 1360.9, Protecting Sensitive Information, which became effective after the contract award date.

Steps Taken by the OM to Ensure Compliance with the Privacy and Information Security Clauses

•   The OM is taking multiple steps to ensure the contractor is aware of, and complying with, the privacy and information security clauses. For example, the OM reviewed the contractor’s IT security plan and routinely monitors the status of background investigations for contractor personnel. Further, the OM is planning to take additional steps to ensure the contractor has complied with the FDIC’s training requirements and to sustain contractor attention regarding its responsibilities for safeguarding information.

•   With regard to IT equipment, as necessitated by a business need at the time the FDIC awarded the BOA, the FDIC did not furnish the contractor with laptops. Therefore, the FDIC relied on the contractor to maintain security features on its laptops consistent with FDIC policies; however, use of the contractor’s laptops created a potential risk related to sensitive FDIC data. In June 2008, DRR established a pool of 25 laptop computers supplied by DIT for the contractor’s use to ensure that any sensitive data collected during the resolution process is stored only on FDIC IT equipment. All laptops in the pool are fully encrypted to protect data if the equipment is lost or stolen. Furnishing FDIC equipment allows the FDIC to ensure the security of its laptops and allows contractor personnel to store sensitive data on the laptops as circumstances dictate without violating the FDIC’s policy, established in 2007, for protecting sensitive information.

•   With regard to the contractor’s laptops used during the resolution process (prior to June 2008), the FDIC is requiring the contractor to sanitize those laptops and to provide a certification to the FDIC that this critical step was done in accordance with FDIC standards. The contractor has physically secured all those laptops until the sanitization process is completed. A TM is helping the OM to coordinate with the contractor to ensure the sanitization is done in a timely manner. DRR is responsible for tracking, cleaning, and reissuing the pool of laptops.

•   We found one area that warrants management attention. The CO and OM found Confidentiality Agreements for only 32 (70 percent) of 46 contractor personnel. Confidentiality Agreements document an individual’s understanding of, and commitment to, safeguarding data and are a key security requirement under the closing support contract. Although the CO and OM were certain that all the agreements had been signed by contractor personnel, neither one had ensured the agreements were maintained in the contract file. As such, we could not verify that agreements had been obtained as required. We are making a recommendation to DOA to establish controls to help ensure that contractor personnel complete and submit the agreements as required and that the CO maintains copies of all agreements in the contract file.

Privacy and Information Security Clauses

FDIC Guidance for Privacy and Information Security Clauses

•   The Acquisition Policy Manual (APM) and Interim Acquisition Policy Memorandum 2003-2, Implementing IT Security in FDIC Procurements, dated November 7, 2003, establish the FDIC policies and procedures for incorporating IT security requirements into IT procurements. Additionally, when Memorandum 2003-2 was issued, the FDIC revised the standard contracting documents to ensure that IT security requirements were fully addressed in all phases of the IT procurement lifecycle.

•   The APM and Interim Acquisition Policy Memorandum referenced the following Circulars:

    –   FDIC Circular 1610.2, Security Policy and Procedures for FDIC Contractors and Subcontractors, dated August 1, 2003, establishes the security policy and procedures that must be followed for contractors and subcontractors to do business with the FDIC.

    –   FDIC Circular 1360.17, IT Security Guidance for FDIC Procurements/Third Party Products, dated June 30, 2003, provides guidance regarding the consideration of security in contract planning, incorporation of security requirements in the contract, and the oversight of contractor information security practices.

Privacy and Information Security Clauses in the Closing Support Contract

•   DRR worked with DOA to establish IT procurement requirements relevant at the time the closing support BOA was awarded.
    Since the award of the BOA, the FDIC’s privacy and information security program has continued to evolve. For example, the FDIC issued Circular 1360.9, Protecting Sensitive Information, dated April 30, 2007, which establishes FDIC policy on protecting sensitive information collected and maintained by the Corporation and guidance for safeguarding the information.

•   The standard contract documents (i.e., BOA, Statement of Work, task order) have been updated to more specifically address the FDIC’s current privacy and information security policies. Further, DOA, DIT, and the Legal Division are currently updating a number of standard clauses to coincide with the new acquisition policy being drafted.

•   Although the FDIC’s privacy and information security program has continued to evolve, the closing support contract documents (i.e., the BOA and Statement of Work) require that the contractor comply with all FDIC policies and procedures, including new policies and procedures developed during the term of the contract.

•   Table 1 identifies the FDIC’s key IT procurement requirements and summarizes the clauses contained in the BIS closing support contract that are in place to address the requirements.

Table 1: OIG Analysis of BIS Closing Support Contract Clauses

Key IT Procurement Requirement: Return or Destruction of Hardcopy and Electronic FDIC Data
Corresponding clauses in the BIS closing support contract:
    –   1.2 Duties - The contractor must ensure that all connections and access to the FDIC network and systems are removed and no longer active when the contract expires, and the contractor is subject to pre-exit clearance procedures.
    –   3.5.1 Compliance Requirements - References the FDIC’s policy related to hardcopy and electronic data destruction (Circular 1360.17, IT Security Guidance for FDIC Procurement/Third Party Products, dated June 30, 2003).

Key IT Procurement Requirement: Risk-level Designation
Corresponding clause in the BIS closing support contract:
    –   3.2 Risk Level Designation - This contract has a high-risk designation. The post-award background investigations and fingerprinting required for all contractor employees will be for this risk level.

Key IT Procurement Requirement: Contractor Confidentiality Agreements
Corresponding clause in the BIS closing support contract:
    –   3.3 Confidentiality of Information, Data, and Systems - Contractor must ensure the confidentiality of all information, data, and systems provided by the FDIC or used or obtained by contractor personnel under this contract and prevent inappropriate or unauthorized use or disclosure. Contractor personnel must sign Confidentiality Agreements.

Key IT Procurement Requirement: Personnel Suitability Requirements
Corresponding clause in the BIS closing support contract:
    –   3.1 Background Investigations - Contractor personnel are subject to background investigations. In addition, contractor personnel performing work on-site must submit to a fingerprint and credit check before receiving on-site identification and access control badges.

Key IT Procurement Requirement: Reference to FDIC Security Policies, Procedures, Laws, and Regulations
Corresponding clauses in the BIS closing support contract:
    –   1.4 Standard of Performance - The contractor must at all times comply with FDIC policies, procedures, and directives.
    –   3.5.1 Compliance Requirements - The contractor’s IT Security Plan must be compliant with the identified federal laws and policies and procedures.
    –   12.2 Privacy Act - Establishes requirements to ensure Privacy Act compliance whenever the contractor is required to design, develop, or operate a system of records on individuals to accomplish an FDIC function.

Key IT Procurement Requirement: Security Plan
Corresponding clause in the BIS closing support contract:
    –   3.5 IT Security Plan - The contractor must implement and maintain an IT Security Plan that is compliant with federal laws and FDIC policies and procedures.

Key IT Procurement Requirement: Mandatory Information Security Training
Corresponding clauses in the BIS closing support contract:
    –   3.6 Training Requirements - The contractor must ensure that its personnel receive training at least annually in IT security awareness and security practices.
    –   3.7 Security Awareness Website Training - The contractor must review the FDIC’s Security Awareness Website.

Key IT Procurement Requirement: Network Access
Corresponding clause in the BIS closing support contract:
    –   3.8.1 Network Access Requirements - The contractor must comply with all provisions of Circular 1360.17, IT Security Guidance for FDIC IT Procurement/Third Party Products.

Source: OIG Analysis of APM, FDIC policies, and BIS closing support contract documents.

Steps Taken by the OM

FDIC Guidance for OMs Related to Privacy and Information Security

•   Various FDIC policies and procedures describe the OM’s responsibilities for overseeing the contractor’s compliance with privacy and information security clauses. Key guidance is contained in the following:

    –   The FDIC’s APM and interim guidance establish policies and procedures for procuring goods and services, identify roles and responsibilities for all FDIC employees involved in the procurement process, and include specific guidance related to IT security in FDIC procurements.

    –   FDIC Circular 1360.17, IT Security Guidance for FDIC Procurements/Third Party Products, dated June 30, 2003, specifically addresses the OM’s role and responsibilities with respect to the oversight of contractor information security practices.

    –   FDIC Circular 1360.9, Protecting Sensitive Information, dated April 30, 2007, establishes policy on protecting sensitive information collected and maintained by the Corporation and provides guidance for safeguarding the information.
This circular describes the OM\xe2\x80\x99s responsibilities with respect to the\n         policy.\n\n\n\n\n                                                15\n\x0cSteps Taken by the OM\nOIG Evaluation of Steps Taken by the OM\n\n\xe2\x80\xa2   We found that the OM for the BIS closing support contract is taking multiple steps to ensure the contractor\n    is aware of, and complying with, the privacy and information security clauses. Additionally, to ensure\n    compliance with FDIC training requirements and sustain focus on the contractor\xe2\x80\x99s responsibility for\n    safeguarding FDIC data, the OM is planning to:\n\n     \xe2\x80\x93   Verify that contractor personnel have completed required information security and privacy awareness\n         training before they work on closing support assignments. We believe this step, coupled with DRR\xe2\x80\x99s\n         routine tracking of completed training, will provide the OM with additional assurance that the\n         contractor is complying with this provision of the contract and FDIC policy.\n\n     \xe2\x80\x93   Meet quarterly with all contractor personnel to reinforce the FDIC\xe2\x80\x99s IT privacy and information\n         security requirements. These meetings will serve as a useful reminder of the FDIC\xe2\x80\x99s policies and\n         procedures for protecting data.\n\n\n\n\n                                                16\n\x0cSteps Taken by the OM\n\xe2\x80\xa2   Furthermore, with regard to IT equipment, the FDIC did not furnish the contractor with laptops as\n    necessitated by a business need at the time the FDIC awarded the contract in 2006. Therefore, the FDIC\n    relied on the contractor to maintain security features on its laptops consistent with FDIC information\n    security standards. In June 2008, DRR established a pool of 25 laptops for the contractor\xe2\x80\x99s use. 
The\n    laptops were provided by DIT, and all DRR BIS pool laptops are fully encrypted to protect the data if the\n    equipment is lost or stolen. Furnishing FDIC equipment allows the FDIC to ensure the security of\n    information stored on the laptops and allows contractor personnel to store sensitive data on the laptops as\n    circumstances dictate without violating the FDIC\xe2\x80\x99s policy for protecting sensitive information. The FDIC\xe2\x80\x99s\n    Circular 1360.9, Protecting Sensitive Information, states that storage of sensitive electronic information is\n    allowed only on corporate IT equipment. DRR\xe2\x80\x99s BIS is responsible for tracking, cleaning, and reissuing the\n    pool of laptops.\n\n\xe2\x80\xa2   With regard to the contractor\xe2\x80\x99s laptops used from the inception of the contract until June 2008, the FDIC\n    has required the contractor to sanitize (remove sensitive information) those laptops and to certify that it is\n    using FDIC sanitization procedures. The contractor has physically secured all of those laptops until the\n    sanitization process is completed. A TM is (1) helping the OM coordinate with the contractor to ensure that\n    sanitization is done in a timely manner and (2) maintaining a log to track the deployment of FDIC laptops\n    to contractor personnel.\n\n\n\n\n                                                 17\n\x0cSteps Taken by the OM\n\xe2\x80\xa2   We found one area that warrants attention by the CO and the OM. The CO and the OM found signed\n    Confidentiality Agreements for only 32 (70 percent) of 46 contract employees. Confidentiality Agreements\n    are a requirement, under the terms of the BOA, used to establish a mutual agreement between the FDIC and\n    the contractor employee on the appropriate use and disclosure of confidential information. 
Various FDIC\n    policies, including Circulars 3700.16, 1360.17, 1360.1, and 1360.9 detail the OM\xe2\x80\x99s responsibilities for\n    ensuring that the contractor is complying with the terms of a contract. Additionally, the FDIC APM and\n    interim APM guidance state that contractor personnel must sign and return the Confidentiality Agreements\n    to the CO and that the CO is responsible for ensuring signed agreements are retained in the contract file.\n    The BOA is also clear on the need for contractor employees to return signed Confidentiality Agreements to\n    the CO.\n\n\xe2\x80\xa2   The CO and the OM are certain that all 46 contractor personnel signed the agreements, but the OM stated\n    that some contractor personnel had inadvertently submitted the agreements to the Dallas Regional Office\n    security staff along with background investigation paperwork. The OM is working with the CO to obtain\n    copies of the agreements that are missing from the contract file.\n\n\xe2\x80\xa2   Table 2 on the next page summarizes OM responsibilities and describes the steps being taken and planned\n    by the OM to oversee the contractor\xe2\x80\x99s compliance with privacy and information security requirements.\n\n\n\n\n                                               18\n\x0cSteps Taken by the OM\n   Table 2: OIG Analysis of Oversight Related to Privacy and Information Security\n    OM\xe2\x80\x99s Oversight\n    Responsibility                         Steps Taken                        Ongoing Oversight Planned\n                                ; The OM stated that the terms of the        ; The OM stated that beginning in July\n                                  contract were reviewed at the post-          2008, a quarterly meeting will be held\n   Information Security Roles     award conference with specific               with all contractor personnel to, among\n      and Responsibilities        attention given to information               other things, reinforce 
the need to\n                                  security.                                    comply with FDIC privacy and\n                                                                               information security program\n                                ; Additionally, the OM and TMs                 requirements.\n                                  provide contractor personnel with\n                                  BIS-specific training that includes a\n                                  module on data protection and\n                                  adherence to all relevant IT directives.\n                                ; The OM works with the CO to ensure         ; The OM will continue to ensure that\n                                  that contractor personnel submit a           new contractor personnel comply with\n                                  fingerprint application and credit           this requirement.\n                                  report authorization to DOA\xe2\x80\x99s\n                                  Security Management Section.\n                                  Contractor employees are not\n   Background Investigations      permitted to begin working on-site\n                                  unless a favorable fingerprint records\n                                  check and credit report are received.\n                                  The OM tracks approvals received\n                                  from DOA\xe2\x80\x99s Security Management\n                                  Section and coordinates with the CO\n                                  and Security Management Section to\n                                  ensure that contractor personnel have\n                                  submitted the paperwork necessary for\n                                  a high-risk position.\n\n\n\n                                                       19\n\x0cSteps Taken by the OM\n   Table 2: OIG Analysis of Oversight Related to Privacy 
and Information Security (Continued)\n    OM\xe2\x80\x99s Oversight\n    Responsibility                  Steps Taken                     Ongoing Oversight Planned\n                         ; The OM reviewed and approved the        ; The OM will continue to monitor\n                           IT Security Plan submitted by the         compliance with the IT Security Plan\n      IT Security Plan     contractor.                               through ongoing oversight of the\n                                                                     contractor\xe2\x80\x99s performance.\n                         ; The OM also submitted the IT\n                           Security Plan to DRR\xe2\x80\x99s ISM for\n                           review and approval.\n\n\n                         ; The OM maintains a list to track        ; Going forward, the OM plans to verify\n         Training          whether contractor personnel have         that contractor personnel have\n                           received required training. The           completed required IT information\n                           training information is obtained from     security and privacy awareness training\n                           DRR\xe2\x80\x99s ISM. However, this list was         before they work on tasks that involve\n                           not up to date at the time of our         sensitive data. The OM and DRR\xe2\x80\x99s\n                           review, and a TM followed up with         ISM determined that this step, coupled\n                           the ISM to verify that all contractor     with routine tracking of training, would\n                           personnel had received appropriate        provide additional assurance that the\n                           training.                                 
contractor personnel met critical\n                                                                     training requirements.\n\n\n\n\n                                               20\n\x0cSteps Taken by the OM\n   Table 2: OIG Analysis of Oversight Related to Privacy and Information Security (Continued)\n    OM\xe2\x80\x99s Oversight\n    Responsibility                      Steps Taken                     Ongoing Oversight Planned\n                             ; The OM, in conjunction with              ; The OM and TMs will continue to\n                               designated TMs, monitors the                 monitor the contractor\xe2\x80\x99s compliance\n                               contractor\xe2\x80\x99s work on-site at Dallas or       with the privacy and information\n       Site Visits and/or      at the site of resolution activity.          security provisions through ongoing\n   Performance Evaluations     Unresolved performance issues are            oversight of the contractor\xe2\x80\x99s\n                               brought to the attention of the CO.          performance. Any issues specific to\n                                                                            privacy or information security will be\n                             ; The CO, TMs, and OM meet biweekly            discussed at the biweekly contract\n                               with key contractor personnel and            status meetings as needed.\n                               FDIC subject matter experts to discuss\n                               performance or other contract issues.\n                             ; Until June 2008, contractor personnel    ; DRR has a pool of 25 FDIC laptops\n                               used their own stand-alone laptops.        
supplied by DIT for the BIS closing\n       Secure Network          The OM stated the contractor\xe2\x80\x99s             support contract work in lieu of relying\n         Equipment             laptops were equipped with necessary       on the contractor to maintain its laptops\n                               security and encryption tools in order     consistent with FDIC security\n                               to protect data. The OM also stated        requirements. All DRR BIS pool\n                               that FDIC data was not stored on           laptops are fully encrypted to protect\n                               contractor equipment unless contractor     the data if the equipment is lost or\n                               personnel were in a \xe2\x80\x9ctravel mode.\xe2\x80\x9d         stolen.\n                                                                        ; DRR is responsible for tracking,\n                             ; FDIC desktops are available in a           cleaning, and reissuing the laptops in\n                               secure room for contractor personnel       the pool. A TM is maintaining a log to\n                               use to upload data to FDIC systems.        
track the deployment of the laptops to\n                                                                          contractor personnel.\n                                                                        ; With regard to the contractor\xe2\x80\x99s laptops\n                                                                          used prior to June 2008, the contractor\n                                                                          is currently sanitizing its laptops and\n                                                                          must provide a certification to the FDIC\n                                                                          that this critical step was completed in\n                                                                          accordance with FDIC standards. The\n                                                                          OM and a TM are coordinating with the\n                                                                          contractor to ensure this process is\n                                                                          completed in a timely manner.\n\n\n\n                                                         21\n\x0cSteps Taken by the OM\n  Table 2: OIG Analysis of Oversight Related to Privacy and Information Security (Continued)\n   OM\xe2\x80\x99s Oversight\n   Responsibility                        Steps Taken                     Ongoing Oversight Planned\n                             ; The OM stated that contractor            ; The CO is responsible for obtaining the\n                               employees were submitting the              Confidentiality Agreements for the\n                               Confidentiality Agreements along with      contractor personnel. Currently, the\n                               their background investigation forms       OM is working with the CO to obtain\n       Confidentiality         to the Dallas Security Section.      
      copies of all the Confidentiality\n        Agreements             However, the Confidentiality               Agreements from the contractor\n                               Agreements should have been                personnel. Going forward, the OM\n                               submitted to the CO and placed in the      plans to work closely with the CO to\n                               contract file.                             ensure that Confidentiality Agreements\n                                                                          for new contractor personnel are\n                             ; Because this was not done, the CO          included in the contract file. We made\n                                 and OM found copies of agreements        a recommendation to DOA to\n                                 for only 32 of the 46 contractor         strengthen controls in this area.\n                                 personnel working on this contract.\n                                 We could not, therefore, verify that all\n                                 contractor personnel working on this\n                                 contract had, in fact, executed\n                                 Confidentiality Agreements.\n  Source: OIG Analysis of FDIC policies and discussions with CO, OM, and TM.\n\n\n\n\n                                                     22\n\x0cConclusion\n\xe2\x80\xa2   DRR\xe2\x80\x99s closing support BOA contains the necessary privacy and information security clauses consistent\n    with FDIC guidance that was in place when the FDIC awarded the BOA. The OM plays a key role in\n    ensuring that the contractor complies with the FDIC\xe2\x80\x99s security requirements in order to help ensure that\n    sensitive information is protected. As Table 2 indicates, we found that the steps being taken by the OM for\n    the BIS closing support contract aligned with established OM responsibilities. 
In addition, the OM is\n    planning to take steps to ensure the contractor has complied with the FDIC\xe2\x80\x99s training requirements and to\n    sustain contractor attention on its responsibilities for safeguarding information, including:\n\n     \xe2\x80\x93   Working with the ISM to verify that all contractor personnel have completed required privacy and IT\n         security awareness training. In addition to routine tracking that occurs, the OM and ISM determined\n         they will also begin verifying that contractor personnel have complied with annual training\n         requirements before individual contractor employees are assigned to closing support tasks.\n\n     \xe2\x80\x93   Ensuring the contractor completes the sanitization process and provides the FDIC with the necessary\n         certification.\n\n     \xe2\x80\x93   Keeping an up-to-date accurate log of FDIC-furnished equipment to minimize the risk to sensitive\n         corporate data.\n\n\n\n\n                                                23\n\x0cRecommendation\n\xe2\x80\xa2   We recommend that the Director, DOA:\n\n     \xe2\x80\x93   Develop a control mechanism to ensure that COs obtain signed Confidentiality Agreements from all\n         contractor personnel required to submit such agreements and that copies of those agreements are\n         maintained in the contract file.\n\n\n\n\n                                              24\n\x0cCorporation Comments and OIG\nEvaluation\n\xe2\x80\xa2   On August 28, 2008, the Director, DOA, provided a written response to the draft of this report.\n    Management\xe2\x80\x99s response is presented in its entirety in Appendix 2. 
Management concurred with our finding\n    and recommendation.\n\n\xe2\x80\xa2   In response to the recommendation, DOA\xe2\x80\x99s Acquisition Services Branch will include Confidentiality\n    Agreements in the Contracts Internal Review Checklist, currently under development, to ensure that\n    Confidentiality Agreements are provided by the contractor and that the CO has uploaded these agreements\n    into the contract file at the time of contract award and whenever changes occur in personnel required to\n    submit the agreements.\n\n\xe2\x80\xa2   A summary of management\xe2\x80\x99s response to the recommendation is in Appendix 3. DOA\xe2\x80\x99s planned actions\n    are responsive to our recommendation. The recommendation is resolved but will remain open until we\n    determine that the agreed-to corrective actions have been completed and are responsive.\n\n\n\n\n                                               25\n\x0c                                                                                                APPENDIX 1\n                           OBJECTIVES, SCOPE, AND METHODOLOGY\n\n\nObjectives\n\n      The objectives of this audit were to (1) determine whether the closing support contract\n      used by DRR\xe2\x80\x99s BIS Section contains privacy and information security clauses to protect\n      pre-closing and failed institution data and (2) evaluate the steps the OM takes to ensure\n      the contractor is complying with the privacy and information security clauses.\n\n      We conducted this performance audit from April 2008 through June 2008 in accordance\n      with generally accepted government auditing standards. Those standards require that we\n      plan and perform the audit to obtain sufficient, appropriate evidence to provide a\n      reasonable basis for our findings and conclusions based on our audit objectives. 
We\n      believe that the evidence obtained provides a reasonable basis for our findings and\n      conclusions based on our audit objectives.\n\n\nScope and Methodology\n\n      The scope of this assignment focused on privacy and information security clauses in the\n      BIS closing support contract (BOA-FDIC1-050) and one task order (Task Order 2007-\n      006), awarded under the BOA. We reviewed these documents to determine if the privacy\n      and security clauses are in compliance with FDIC policies. We selected this task order\n      because it accounted for approximately 43 percent of the total amount awarded as of\n      June 19, 2008. 1 For purposes of evaluating the steps taken by the OM to monitor\n      compliance with the contract clauses related to security and privacy awareness training,\n      background investigations, and Confidentiality Agreements, we took into consideration\n      all 46 of the contractor personnel the OM and CO identified as working on the task order\n      under the BOA.\n\n\n      Evaluation of the Privacy and Security Clauses\n\n      To achieve our objectives, we:\n\n          \xe2\x80\xa2   Obtained and reviewed various contract-related documents, including the BOA,\n              Task Order 2007-006, the Statement of Work, and the contractor\xe2\x80\x99s IT Security\n              Plan.\n\n          \xe2\x80\xa2   Obtained information from officials in DOA\xe2\x80\x99s Acquisition Services Branch and\n              DIT\xe2\x80\x99s Information Security and Privacy Staff to gain an understanding of privacy\n              and information security clause guidance that existed when the BOA was awarded\n              in 2006 as well as to gain an understanding of evolving requirements. We also\n              interviewed officials in DRR, including the OM and a TM, and representatives\n              from DRR\xe2\x80\x99s Information Security Unit.\n      1\n        The contract total as of June 19, 2008 was $8,475,611. 
The results of a non-statistical sample cannot be\n      projected to the intended population by standard statistical methods.\n\n\n                                                          26\n\x0c                                                                                 APPENDIX 1\n\n\n          \xe2\x80\xa2   Reviewed the FDIC\xe2\x80\x99s policies and procedures, including:\n\n                   o The FDIC\xe2\x80\x99s APM and Interim Acquisition Policy Memorandum 2003.2,\n                     Implementing IT Security in FDIC Procurements.\n\n                   o Circular 1360.1, DRR Information Security Responsibilities, dated\n                     November 18, 2005.\n\n                   o Circular 1360.16, Mandatory Information Security Awareness Training,\n                     dated July 23, 2002.\n\n                   o Circular 1360.17, IT Security Guidance for FDIC Procurement/Third\n                     Party Products, dated June 30, 2003.\n\n                   o Circular 1360.9, Protecting Sensitive Information, dated April 30, 2007.\n\n                   o Circular 1610.2, Security Policy and Procedures for FDIC Contractors\n                     and Subcontractors, dated August 1, 2003.\n\n                   o Circular 3700.16, DRR Contract Management, dated January 17, 2008.\n\n                   o DRR\xe2\x80\x99s Guidelines for Protecting Sensitive Information.\n\n          \xe2\x80\xa2   Consulted with the Counsel to the OIG to evaluate the privacy and information\n              security contract clauses.\n\n\nInternal Control\n\n      We assessed key FDIC internal controls related to privacy and security clauses,\n      including:\n\n          \xe2\x80\xa2   Relevant FDIC and DRR policies, procedures, guidance, and training.\n\n          \xe2\x80\xa2   The roles and responsibilities of the OM and TMs.\n\n      Additionally, we selected a random sample of contractor personnel and verified that\n      DOA\xe2\x80\x99s Security Management 
Section had completed required background investigations\n      for the sampled contractor personnel commensurate with the high-risk designation for\n      this contract. We noted no exceptions.\n\n\n\n\n                                                  27\n\x0c                                                                                   APPENDIX 1\n\n\nReliance on Computer-processed Information\n\n      Our audit objective did not require that we assess the reliability of computer-processed\n      information, and we did not rely on computer-processed information to support our\n      significant findings, conclusions, and recommendations. Our assessment centered on\n      reviewing hardcopy contract documentation provided by the CO and OM.\n\n\nPerformance Measurement\n\n      We reviewed the FDIC\xe2\x80\x99s 2005-2010 Strategic Plan and 2008 Annual Performance Plan\n      to identify and understand the FDIC\xe2\x80\x99s goals, objectives, and ongoing initiatives related to\n      privacy and information security. The FDIC\xe2\x80\x99s 2008 Annual Performance Plan provides\n      an overview of planned 2008 initiatives to enhance the Corporation\xe2\x80\x99s management of its\n      key strategic resources. 
Initiatives address IT Resource Management, the Corporate\n      Privacy Program, and Information Security Program.\n\n      DIT has issued a Privacy Program Strategic Framework that establishes a formal,\n      comprehensive strategic framework that integrates the FDIC\xe2\x80\x99s privacy program mission,\n      vision, principles, goals and objectives, governance structure, key initiatives and\n      activities, performance measurement, monitoring and methods for reporting, and roles\n      and responsibilities.\n\n\nCompliance With Laws and Regulations\n\n      The following laws and regulations were relevant to our objectives.\n\n         \xe2\x80\xa2   Privacy Act of 1974;\n         \xe2\x80\xa2   Gramm-Leach Bliley Act;\n         \xe2\x80\xa2   Section 522 of the Transportation, Treasury, Independent Agencies, and General\n             Government Appropriations Act 2005;\n         \xe2\x80\xa2   FDIC\xe2\x80\x99s Rules and Regulations \xe2\x80\x93 Parts 309, Disclosure of Information; and 310,\n             Privacy Act Regulations; and\n         \xe2\x80\xa2   12 Code of Federal Regulations Part 366, Minimum Standard of Integrity and\n             Fitness for an FDIC Contractor.\n\n      We found no instances where the FDIC was not in compliance with applicable laws and\n      regulations.\n\n      We assessed the risk of fraud and abuse related to the audit objective in the course of\n      evaluating audit evidence.\n\n\n\n\n                                                  28\n\x0c                                                                                   APPENDIX 1\n\n\nPrior Coverage\n\n      We considered the following reports issued by the FDIC OIG in planning and conducting\n      our work:\n\n         \xe2\x80\xa2   Audit Report No. 
07-013 entitled, Response to Privacy Program Information\n             Request in OMB\xe2\x80\x99s Fiscal Year 2007 Reporting Instructions for FISMA and\n             Agency Privacy Management, dated September 2007. The objective of the audit\n             was to assess the status of the FDIC\xe2\x80\x99s privacy program activities and initiatives.\n             The reported concluded that the FDIC continues to take action to safeguard its\n             personally identifiable information (PII) and related systems and address privacy-\n             related provisions of recent Office of Management and Budget memoranda. Of\n             particular note, the FDIC has provided privacy-awareness training. The report\n             contained no recommendations.\n\n         \xe2\x80\xa2   Audit Report No. 07-010 entitled, Division of Resolutions and Receiverships\n             Protection of Electronic Records, dated September 2007. The objective of the\n             audit was to evaluate the design and implementation of selected controls\n             established by DRR for safeguarding sensitive electronic information collected\n             and maintained as a result of resolution and receivership activities at FDIC-\n             insured institutions. DRR has established a number of important controls to\n             safeguard the sensitive electronic information it collects and maintains as a result\n             of resolution and receivership activities at FDIC-insured financial institutions.\n             However, a number of deficiencies were identified that increased the risk of\n             unauthorized use of sensitive information. DRR and DIT security officials took\n             prompt action to restrict access to vulnerable sensitive information that we\n             identified during the audit and agreed to the four recommendations made in the\n             report to strengthen controls.\n\n         \xe2\x80\xa2   Evaluation Report No. 
EM-07-004 entitled, Risk Designation Levels for\n             Information Technology Staff and Privacy Act Clauses in FDIC Contracts, dated\n             August 2007. The objective of the evaluation was to identify best practices at\n             other federal agencies pertaining to risk designation levels for IT agency staff and\n             Privacy Act clauses in FDIC contracts. With regard to the contract clauses, the\n             report states that the Privacy Act clause currently incorporated in FDIC contracts\n             was consistent with federal contracting requirements.\n\n         \xe2\x80\xa2   Audit Report No. 06-017 entitled, DRR\xe2\x80\x99s Protection of Bank Employee and\n             Customer Personally Identifiable Information, dated September 2006. The\n             objective of this audit was to determine whether DRR adequately protects PII\n             collected and maintained as a result of resolution and receivership functions. The\n             audit focused attention on DRR efforts to protect PII in hardcopy form. DRR has\n             established certain controls over the resolution and receivership process,\n             addressing the protection of sensitive bank employee and customer PII. However,\n             given the increased risks associated with, and attention being placed on, identity\n             theft, the audit identified opportunities for DRR to strengthen controls over its\n\n\n                                                  29\n\x0c                                                                      APPENDIX 1\n\n\n    handling of sensitive bank employee and customer PII obtained during the\n    resolution and receivership process. In particular, DRR had not established a\n    Records Management Program that defines recordkeeping requirements for the\n    inventory, maintenance, control, and use of hardcopy documents. 
The report\n    recommended that DRR work with DOA, and other cognizant FDIC divisions and\n    offices, in developing a DRR Records Management Program. DRR agreed with\n    the recommendation.\n\n\xe2\x80\xa2   Audit Report No. 03-043, Follow-up Audit of Information Security Management\n    of FDIC Contractors, dated September 2003. The objective of this audit was to\n    determine whether the FDIC had made adequate progress in addressing\n    recommendations in Audit Report No. 02-035 entitled, Information Security\n    Management of FDIC Contractors, dated September 2002. The audit focused on\n    information security in acquisition planning, contract security provisions, and\n    contractor oversight. The report concluded that the FDIC had developed and was\n    finalizing policies and procedures to address the prior audit report\xe2\x80\x99s\n    recommendations regarding security in acquisition planning, contract\n    requirements, and contractor oversight. The report included a recommendation\n    for the FDIC to update its Policy on Off-site Contractor Network Connectivity.\n    The FDIC agreed to the recommendation.\n\n\n\n\n                                       30\n\x0c                       APPENDIX 2\n\nCORPORATION COMMENTS\n\x0c     APPENDIX 2\n\n\n\n\n32\n\x0c                                                                                        APPENDIX 3\n\n              MANAGEMENT RESPONSE TO THE RECOMMENDATION\n\n\nThis table presents the management response on the recommendation in our report and the status\nof the recommendation as of the date of report issuance.\n\n Corrective Action: Taken             Expected\n      or Planned for the             Completion          Monetary    Resolved:a Open or\n      Recommendation                     Date            Benefits    Yes or No Closedb\nDOA\xe2\x80\x99s Acquisition Services          December 31,           $0        Yes        Open\nBranch will include                 2008\nConfidentiality 
Agreements in\nthe Contracts Internal Review\nChecklist, currently under\ndevelopment, to ensure that\nConfidentiality Agreements\nare provided by the contractor\nand that the CO has uploaded\nthese agreements into the\ncontract file.\n\na\n    Resolved \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned, ongoing, and completed\n                   corrective action is consistent with the recommendation.\n               (2) Management does not concur with the recommendation, but alternative action meets the\n                   intent of the recommendation.\n               (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0)\n                   amount. Monetary benefits are considered resolved as long as management provides an\n                   amount.\nb\n  Once the OIG determines that the agreed-upon corrective actions have been completed and are responsive\nto the recommendation, the recommendation can be closed.\n\n\n\n\n                                                    33\n\x0c                                                  APPENDIX 4\n\n             ACRONYMS USED IN THE REPORT\n\n\nAPM   Acquisition Policy Manual\nBIS   Business Information Systems\nBOA   Basic Ordering Agreement\nCO    Contracting Officer\nDIT   Division of Information Technology\nDOA   Division of Administration\nDRR   Division of Resolutions and Receiverships\nEDP   Electronic Data Processing\nISM   Information Security Manager\nIT    Information Technology\nLAN   Local Area Network\nOM    Oversight Manager\nPII   Personally Identifiable Information\nTM    Technical Monitor\n\n\n\n\n                                 34\n\x0c'